netbird/management/server/http/middleware/access_control.go

package middleware

import (
	"net/http"
	"regexp"

	log "github.com/sirupsen/logrus"

	"github.com/netbirdio/netbird/management/server/http/util"
	"github.com/netbirdio/netbird/management/server/status"

	"github.com/netbirdio/netbird/management/server/jwtclaims"
)

type IsUserAdminFunc func(claims jwtclaims.AuthorizationClaims) (bool, error)

// AccessControl middleware to restrict to make POST/PUT/DELETE requests by admin only
type AccessControl struct {
	isUserAdmin   IsUserAdminFunc
	claimsExtract jwtclaims.ClaimsExtractor
}

// NewAccessControl instance constructor
func NewAccessControl(audience, userIDClaim string, isUserAdmin IsUserAdminFunc) *AccessControl {
	return &AccessControl{
		isUserAdmin: isUserAdmin,
		claimsExtract: *jwtclaims.NewClaimsExtractor(
			jwtclaims.WithAudience(audience),
			jwtclaims.WithUserIDClaim(userIDClaim),
		),
	}
}

// Handler method of the middleware which forbids all modify requests for non admin users
// It also adds
func (a *AccessControl) Handler(h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		claims := a.claimsExtract.FromRequestContext(r)

		ok, err := a.isUserAdmin(claims)
		if err != nil {
			util.WriteError(status.Errorf(status.Unauthorized, "invalid JWT"), w)
			return
		}
		if !ok {
			switch r.Method {
			case http.MethodDelete, http.MethodPost, http.MethodPatch, http.MethodPut:

				ok, err := regexp.MatchString(`^.*/api/users/.*/tokens.*$`, r.URL.Path)
				if err != nil {
					log.Debugf("Regex failed")
					util.WriteError(status.Errorf(status.Internal, ""), w)
					return
				}
				if ok {
					log.Debugf("Valid Path")
					h.ServeHTTP(w, r)
					return
				}

				util.WriteError(status.Errorf(status.PermissionDenied, "only admin can perform this operation"), w)
				return
			}
		}

		h.ServeHTTP(w, r)
	})
}
feat(ac): add access control middleware (#321) 2022-05-25 18:26:50 +02:00			`package middleware`

			`import (`
Feature: add custom id claim (#667) This feature allows using the custom claim in the JWT token as a user ID. Refactor claims extractor with options support Add is_current to the user API response 2023-02-03 21:47:20 +01:00			`"net/http"`
disable access control for token endpoint 2023-03-30 19:03:44 +02:00			`"regexp"`

			`log "github.com/sirupsen/logrus"`
Feature: add custom id claim (#667) This feature allows using the custom claim in the JWT token as a user ID. Refactor claims extractor with options support Add is_current to the user API response 2023-02-03 21:47:20 +01:00
Replace gRPC errors in business logic with internal ones (#558) 2022-11-11 20:36:45 +01:00			`"github.com/netbirdio/netbird/management/server/http/util"`
			`"github.com/netbirdio/netbird/management/server/status"`
feat(ac): add access control middleware (#321) 2022-05-25 18:26:50 +02:00
			`"github.com/netbirdio/netbird/management/server/jwtclaims"`
			`)`

			`type IsUserAdminFunc func(claims jwtclaims.AuthorizationClaims) (bool, error)`

Hide setup key from non-admin users (#539) 2022-11-03 17:02:31 +01:00			`// AccessControl middleware to restrict to make POST/PUT/DELETE requests by admin only`
			`type AccessControl struct {`
Feature: add custom id claim (#667) This feature allows using the custom claim in the JWT token as a user ID. Refactor claims extractor with options support Add is_current to the user API response 2023-02-03 21:47:20 +01:00			`isUserAdmin IsUserAdminFunc`
			`claimsExtract jwtclaims.ClaimsExtractor`
feat(ac): add access control middleware (#321) 2022-05-25 18:26:50 +02:00			`}`

Hide setup key from non-admin users (#539) 2022-11-03 17:02:31 +01:00			`// NewAccessControl instance constructor`
Feature: add custom id claim (#667) This feature allows using the custom claim in the JWT token as a user ID. Refactor claims extractor with options support Add is_current to the user API response 2023-02-03 21:47:20 +01:00			`func NewAccessControl(audience, userIDClaim string, isUserAdmin IsUserAdminFunc) *AccessControl {`
Hide setup key from non-admin users (#539) 2022-11-03 17:02:31 +01:00			`return &AccessControl{`
Feature: add custom id claim (#667) This feature allows using the custom claim in the JWT token as a user ID. Refactor claims extractor with options support Add is_current to the user API response 2023-02-03 21:47:20 +01:00			`isUserAdmin: isUserAdmin,`
			`claimsExtract: *jwtclaims.NewClaimsExtractor(`
			`jwtclaims.WithAudience(audience),`
			`jwtclaims.WithUserIDClaim(userIDClaim),`
			`),`
feat(ac): add access control middleware (#321) 2022-05-25 18:26:50 +02:00			`}`
			`}`

Hide setup key from non-admin users (#539) 2022-11-03 17:02:31 +01:00			`// Handler method of the middleware which forbids all modify requests for non admin users`
			`// It also adds`
			`func (a *AccessControl) Handler(h http.Handler) http.Handler {`
feat(ac): add access control middleware (#321) 2022-05-25 18:26:50 +02:00			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
Feature: add custom id claim (#667) This feature allows using the custom claim in the JWT token as a user ID. Refactor claims extractor with options support Add is_current to the user API response 2023-02-03 21:47:20 +01:00			`claims := a.claimsExtract.FromRequestContext(r)`
feat(ac): add access control middleware (#321) 2022-05-25 18:26:50 +02:00
change order for access control checks and aquire account lock after global lock 2023-03-31 12:03:53 +02:00			`ok, err := a.isUserAdmin(claims)`
disable access control for token endpoint 2023-03-30 19:03:44 +02:00			`if err != nil {`
			`util.WriteError(status.Errorf(status.Unauthorized, "invalid JWT"), w)`
			`return`
			`}`
feat(ac): add access control middleware (#321) 2022-05-25 18:26:50 +02:00			`if !ok {`
			`switch r.Method {`
			`case http.MethodDelete, http.MethodPost, http.MethodPatch, http.MethodPut:`
change order for access control checks and aquire account lock after global lock 2023-03-31 12:03:53 +02:00
			ok, err := regexp.MatchString(`^./api/users/./tokens.*$`, r.URL.Path)
			`if err != nil {`
			`log.Debugf("Regex failed")`
			`util.WriteError(status.Errorf(status.Internal, ""), w)`
			`return`
			`}`
			`if ok {`
			`log.Debugf("Valid Path")`
			`h.ServeHTTP(w, r)`
			`return`
			`}`

Replace gRPC errors in business logic with internal ones (#558) 2022-11-11 20:36:45 +01:00			`util.WriteError(status.Errorf(status.PermissionDenied, "only admin can perform this operation"), w)`
feat(ac): add access control middleware (#321) 2022-05-25 18:26:50 +02:00			`return`
			`}`
			`}`

			`h.ServeHTTP(w, r)`
			`})`
			`}`